CVE Vulnerability Database

CVE-2026-11395: CF7 to Webhook Plugin SSRF Vulnerability

CVE-2026-11395 is a Server-Side Request Forgery flaw in the CF7 to Webhook plugin for WordPress that enables unauthenticated attackers to make arbitrary web requests. This article covers technical details, affected versions, and mitigation.


CVE-2026-11395 Overview

CVE-2026-11395 is a Server-Side Request Forgery (SSRF) vulnerability in the CF7 to Webhook plugin for WordPress, affecting all versions up to and including 5.0.0. The flaw resides in the pull_the_trigger function and allows unauthenticated attackers to make web requests to arbitrary destinations from the affected server. Attackers can use this primitive to query and modify information on internal services reachable from the WordPress host. Exploitation requires an admin-configured webhook URL that contains a Contact Form 7 field placeholder in the host segment, combined with public access to the affected form.

Critical Impact

Unauthenticated attackers can pivot through the WordPress server to reach internal-only services, including cloud metadata endpoints and administrative APIs.

Affected Products

  • CF7 to Webhook (cf7-to-zapier) plugin for WordPress, all versions through 5.0.0
  • WordPress sites exposing Contact Form 7 forms wired to vulnerable webhook configurations
  • Any internal service reachable from the WordPress host network

Discovery Timeline

  • 2026-06-18 - CVE-2026-11395 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-11395

Vulnerability Analysis

The vulnerability is classified as Server-Side Request Forgery under CWE-918. The CF7 to Webhook plugin integrates Contact Form 7 submissions with external webhook endpoints such as Zapier. When a form is submitted, the plugin substitutes Contact Form 7 field values into a webhook URL template, then issues an HTTP request to the resulting URL inside the pull_the_trigger function. The plugin does not restrict where the substituted host portion can point. An attacker who controls a form field that is interpolated into the URL host can redirect the outbound request to any reachable address. The flaw requires no authentication because Contact Form 7 forms are public by design.

Root Cause

The root cause is missing validation of the final webhook destination after placeholder substitution. The plugin trusts that the administrator-defined URL template is safe, but placeholder expansion happens with untrusted, user-submitted form values. When a placeholder sits inside the host segment, attacker-supplied input directly determines the request target. There is no allowlist of permitted hosts and no filtering of internal address ranges such as 127.0.0.1, 169.254.169.254, or RFC1918 networks.
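To make the root cause concrete, the following Python model shows the two halves of the problem described above: unvalidated placeholder expansion, where a submitted field value lands in the URL authority, and the validation the advisory says is missing, namely refusing templates with placeholders in the scheme or host segment and checking the resolved destination against an allowlist and non-routable ranges. This is an added illustration, not code from the CF7 to Webhook plugin (which is PHP); the [field-name] placeholder syntax follows the form mentioned in the detection section, while the function names, sample template and allowlist are constructed.

```python
"""Model of CF7-style placeholder expansion into a webhook URL, before and
after destination validation.  Added illustration, not the plugin's code.
Everything except the [field-name] placeholder style is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\[([a-zA-Z0-9_-]+)\]")
# "<scheme>://<authority>" split done by regex rather than urlsplit, because
# urlsplit rejects a bracketed placeholder like [ip-field] as a bad IPv6 host.
AUTHORITY = re.compile(r"^([^/?#]*)://([^/?#]*)")
ALLOWED_HOSTS = {"hooks.zapier.com"}  # constructed allowlist of webhook hosts


def expand_template(template: str, fields: dict) -> str:
    """The flawed behaviour: whatever the submitter typed is spliced into the
    URL, so a placeholder in the host segment hands the target to the user."""
    return PLACEHOLDER.sub(lambda m: fields.get(m.group(1), ""), template)


def placeholders_in_authority(template: str) -> list:
    """Placeholders sitting in the scheme or host segment of a template.
    A template without '://' is treated as all-authority (conservative)."""
    m = AUTHORITY.match(template)
    if not m:
        return PLACEHOLDER.findall(template)
    return PLACEHOLDER.findall(m.group(1) + m.group(2))


def validate_destination(url: str, allowed_hosts=ALLOWED_HOSTS):
    """Check the resolved URL: http(s) only, no literal address in loopback,
    link-local (169.254.169.254), private or other non-routable ranges, and
    the host must be on the allowlist.  Returns (ok, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed bracketed host
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, "scheme is not http(s)"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "empty host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not a literal
    if addr is not None and (addr.is_loopback or addr.is_link_local
                             or addr.is_private or addr.is_reserved
                             or addr.is_multicast or addr.is_unspecified):
        return False, f"host {host} is in a non-routable range"
    if host not in allowed_hosts:
        return False, f"host {host} is not on the allowlist"
    return True, "ok"


def safe_expand(template: str, fields: dict, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened path: reject authority placeholders up front, then validate
    the fully expanded URL before it would be dispatched."""
    bad = placeholders_in_authority(template)
    if bad:
        raise ValueError(f"placeholders in scheme/host segment: {bad}")
    url = expand_template(template, fields)
    ok, reason = validate_destination(url, allowed_hosts)
    if not ok:
        raise ValueError(reason)
    return url


def expansion_is_blocked(template: str, fields: dict) -> bool:
    """Convenience: True when safe_expand refuses the template/field pair."""
    try:
        safe_expand(template, fields)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    bad_template = "https://[ip-field]/hook"       # placeholder in host: flawed
    good_template = "https://hooks.zapier.com/hooks/catch/[form-id]/"
    print(expand_template(bad_template, {"ip-field": "169.254.169.254"}))
    print(expansion_is_blocked(bad_template, {"ip-field": "169.254.169.254"}))
    print(safe_expand(good_template, {"form-id": "123"}))
```

The literal-address check alone is not sufficient, because an attacker-chosen hostname can resolve to an internal address at request time; the allowlist is the primary control here, and the egress firewall in the Workarounds section is the backstop for anything the application-level check misses.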

Attack Vector

The attack is performed over the network with low complexity and no privileges. An attacker locates a public Contact Form 7 form on a vulnerable site and submits a value for the field that is interpolated into the webhook host segment. The submitted value can be set to an internal hostname, cloud metadata service address, or any other endpoint reachable from the WordPress server. The plugin then issues the request server-side, returning side-channel evidence through behavior, timing, or downstream effects. Relevant source locations include the request handler at class-module-cf7.php#L351 and the outbound dispatcher in class-module-zapier.php#L150, documented in the WordPress Plugin Code Snippet.

Detection Methods for CVE-2026-11395

Indicators of Compromise

  • Outbound HTTP requests from the WordPress host to internal IP ranges, localhost, or cloud metadata addresses such as 169.254.169.254
  • Contact Form 7 submissions containing host-like values (IP addresses, internal hostnames) in fields used as webhook placeholders
  • Unexpected webhook delivery failures or anomalous response sizes in plugin logs
  • Web server access logs showing repeated form submissions from a single source with varying payloads in placeholder fields

Detection Strategies

  • Inspect the plugin webhook configuration for any URL containing Contact Form 7 placeholders such as [field-name] inside the host portion
  • Correlate Contact Form 7 submission events with outbound network connections originating from the PHP worker process
  • Alert on outbound requests from the web server to private address ranges or cloud instance metadata services
  • Review WordPress audit logs for form submissions that contain URL-encoded or raw IP literals in form fields

Monitoring Recommendations

  • Enable egress logging on the WordPress host and forward DNS and HTTP telemetry to a central SIEM for analysis
  • Monitor for new or modified webhook URL templates inside the cf7-to-zapier plugin configuration
  • Track HTTP response codes returned to the form-submission endpoint for indirect signs of SSRF probing

How to Mitigate CVE-2026-11395

Immediate Actions Required

  • Update the CF7 to Webhook plugin to the version published in the WordPress Plugin Changeset addressing this issue
  • Audit every webhook URL template and remove any Contact Form 7 placeholders located in the scheme or host segment
  • Restrict outbound network access from the WordPress server to a defined allowlist of webhook destinations
  • Review the Wordfence Vulnerability Report for additional vendor guidance

Patch Information

A fix was committed in the plugin repository as referenced in the WordPress Plugin Changeset. Site administrators should upgrade beyond version 5.0.0 to a release containing the patch and confirm that webhook execution paths validate the resolved URL before issuing requests.

Workarounds

  • Reconfigure all webhook URLs so the host segment is static and only the path or query string contains Contact Form 7 placeholders
  • Deploy a network egress firewall rule blocking the WordPress host from initiating connections to RFC1918 ranges, 127.0.0.0/8, and 169.254.169.254
  • Temporarily disable affected forms or the CF7 to Webhook plugin until patching is complete
```bash
# Example egress restriction using iptables on the WordPress host
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT
```

Because -A appends, these rules only take effect if no earlier OUTPUT rule already accepts the traffic; verify the order with iptables -L OUTPUT -n --line-numbers, replace www-data with the user the PHP worker actually runs as, and persist the rules with the distribution's iptables-save mechanism or they are lost at reboot.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
